VUDU had a Break-In – Informs Customers 18 Days Later

Those of you who have been using VUDU to watch movies may have received a rather scary email recently. No, the company didn’t get hacked. Instead, what happened was a physical break-in at their offices. Whoever did it walked away with multiple hard drives that contained important data such as customer names, encrypted passwords, addresses, and phone numbers. In other words, the hard drives had some of the personal information that most people would not want a random stranger to get a hold of.

VUDU says that the passwords that were on the hard drives were encrypted, so there’s that. The company also says that there were no full credit card numbers on the hard drives that were stolen. Even so, VUDU has reset customers’ passwords. They posted a blog about the situation that says:

There was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives. Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth, and the last four digits of some credit card numbers. It’s important to note that the drives did NOT contain full credit card numbers, as we do not store that information. If you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives. While stolen drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can’t rule out that possibility given the circumstances of this theft. Therefore, we have reset all customer passwords.

March 24, 2013 was… let’s see… 18 days ago! That’s a really long time to wait before letting customers know that their personal information may, potentially, be in the hands of whoever broke into the VUDU offices and stole the hard drives! Their blog goes on to say:

We are still in the process of sending email messages.

This means that there could very well be some VUDU customers who have not yet been informed about the break-in. That’s rather shocking! Typically, the sooner a company lets customers know that their data may be in the hands of thieves, the better. I feel bad for the people who are going to read a blog about the break-in before VUDU contacts them about it. Why did they wait so long? Again, their blog has an answer:

We notified law enforcement immediately when the break-in was discovered, and have worked closely with them on the investigation. We have also worked to reconstruct the information that was included on the drives to ensure we had an accurate assessment.

Perhaps the company is aware of the potential damage customers may face due to the break-in and the length of time VUDU waited before letting people know about it. They have made arrangements for customers to be automatically eligible to receive identity protection services from AllClear ID. You can find out more about the AllClear service, what it provides, and how to enroll on VUDU’s blog. It doesn’t mention if the service is free or if there will be a charge for using it (only that customers are “eligible”).